Tessera Access · certificate login
Personal, accountable login for engineers and contractors on any device running Astra Linux or another Linux distribution, from ATMs and POS terminals to industrial controllers. All rights live inside the certificate and all validation happens on the device itself, so no network connection is needed at login time.
01 · How it works
The fleet owner issues the service organization a certificate with hard scopes. The organization issues its engineer an even narrower shift certificate. Stepping outside the scopes is impossible.
Fleet owner. A bank, an industrial company, a critical-infrastructure operator. The root of trust: only the owner decides who may do what.
rights: entire fleet → rights narrowed to the contractor's scope
Service organization. The contractor. Issues credentials to its own engineers, but only inside the scopes it was given.
rights: region · 1 role → rights narrowed to a single shift
Engineer. Arrives on site with a certificate on a USB stick or token. Needs no network.
rights: 1 device · 8 h → least privilege at login
Device. Any device running Linux / Astra Linux. Verifies signatures, scopes, expiry and revocation without a single network call.
offline validation · The guarantee lives on the device itself. Even if a contractor's issuing CA is compromised, it cannot produce a working certificate outside its scopes: a southern ATM rejects a "northern" contractor's certificate on its own, offline, from its own signed data. Inside its scopes a compromised CA can still issue certificates until the owner revokes it, which is what the owner's signed revocation list is for.
02 · Certificate issuance
No manual cryptography: the contractor's dispatcher issues a certificate in a web console, and the system keeps it inside the scopes.
Fleet owner's console. Issues organization certificates to contractors, with scopes: device groups, roles, and privilege and duration ceilings.
The dispatcher issues shift certificates to their engineers per work order — the form cannot step outside the organization's scopes.
Written to a USB stick or token (Rutoken / JaCarta) at the dispatcher's desk; a short lifetime means a lost medium simply expires, and until then it can be listed in the next revocation list.
Next to the certificate the console places a fresh revocation list, configuration and updates — the device applies them at login on its own, after verifying the signature.
Who issued what, to whom, for which device and with which rights — and who delivered which update. CLI and API planned for ticket-system integrations.
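The chain from section 01 and the scope ceiling and signed revocation list from section 02, as an added Go example; it is not the product's code. The certificate format, field names, Ed25519 keys, the "south" / "north" device groups, the serials and the choice of JSON as the signed encoding are all constructed for this illustration (the page does not show the product's own formats). The device verifies everything from local data only: the owner's public key, its own group name, and the owner-signed CRL that arrived on the same medium as the certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"time"
)

// Scope is the ceiling a certificate grants; a child certificate must fit inside its issuer's scope.
type Scope struct {
	DeviceGroups []string
	Roles        []string
	MaxPrivilege int
	NotAfter     time.Time
}

// Cert and CRL are a constructed toy format, not the product's; Sig covers the JSON of the other fields.
type Cert struct {
	Serial string
	PubKey ed25519.PublicKey
	Scope  Scope
	Sig    []byte
}
type CRL struct{ Serials []string; Sig []byte }

func (c Cert) tbs() []byte { c.Sig = nil; b, _ := json.Marshal(c); return b }
func (l CRL) tbs() []byte  { l.Sig = nil; b, _ := json.Marshal(l); return b }

func subset(a, b []string) bool {
	for _, x := range a {
		if !slices.Contains(b, x) {
			return false
		}
	}
	return true
}

// within is the scope ceiling: the dispatcher's form enforces it at issuance and the device repeats it at login.
func (child Scope) within(parent Scope) bool {
	return subset(child.DeviceGroups, parent.DeviceGroups) && subset(child.Roles, parent.Roles) &&
		child.MaxPrivilege <= parent.MaxPrivilege && !child.NotAfter.After(parent.NotAfter)
}

// Device keeps only what it needs offline: the owner's public key and its own group.
type Device struct{ OwnerKey ed25519.PublicKey; Group string }

// ValidateLogin checks owner -> organization -> shift from local data: signatures, scope ceiling, expiry, CRL, device group.
func (d Device) ValidateLogin(org, shift Cert, crl CRL, now time.Time) error {
	switch {
	case !ed25519.Verify(d.OwnerKey, org.tbs(), org.Sig) || !ed25519.Verify(org.PubKey, shift.tbs(), shift.Sig):
		return errors.New("bad signature in chain")
	case !shift.Scope.within(org.Scope):
		return errors.New("shift cert exceeds org scope")
	case now.After(shift.Scope.NotAfter) || now.After(org.Scope.NotAfter):
		return errors.New("certificate expired")
	case !ed25519.Verify(d.OwnerKey, crl.tbs(), crl.Sig): // fail closed: an unsigned CRL is not applied, login is refused
		return errors.New("crl: bad owner signature, not applied")
	case slices.Contains(crl.Serials, org.Serial) || slices.Contains(crl.Serials, shift.Serial):
		return errors.New("certificate revoked")
	case !slices.Contains(shift.Scope.DeviceGroups, d.Group):
		return errors.New("certificate not valid for this device group")
	}
	return nil
}

// ChainDemo builds the page's chain with constructed keys and returns what a "south" ATM decides per shift cert.
func ChainDemo() map[string]error {
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	orgPub, orgPriv, _ := ed25519.GenerateKey(rand.Reader)
	engPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2024, 5, 1, 9, 0, 0, 0, time.UTC)
	issue := func(signer ed25519.PrivateKey, serial string, pub ed25519.PublicKey, group string, priv, hours int) Cert {
		c := Cert{Serial: serial, PubKey: pub, Scope: Scope{DeviceGroups: []string{group}, Roles: []string{"atm-maint"},
			MaxPrivilege: priv, NotAfter: now.Add(time.Duration(hours) * time.Hour)}}
		c.Sig = ed25519.Sign(signer, c.tbs())
		return c
	}
	org := issue(ownerPriv, "org-1", orgPub, "south", 2, 90*24) // owner -> contractor: region "south", privilege <= 2, 90 days
	crl := CRL{Serials: []string{"shift-lost"}}                 // the owner revokes a shift cert whose medium was lost
	crl.Sig = ed25519.Sign(ownerPriv, crl.tbs())
	atm := Device{OwnerKey: ownerPub, Group: "south"}
	return map[string]error{
		"valid":        atm.ValidateLogin(org, issue(orgPriv, "shift-1", engPub, "south", 2, 8), crl, now),
		"wrong_region": atm.ValidateLogin(org, issue(orgPriv, "shift-2", engPub, "north", 2, 8), crl, now), // a stolen org key still cannot reach "north"
		"escalated":    atm.ValidateLogin(org, issue(orgPriv, "shift-3", engPub, "south", 5, 8), crl, now),
		"expired":      atm.ValidateLogin(org, issue(orgPriv, "shift-4", engPub, "south", 2, 8), crl, now.Add(9*time.Hour)),
		"revoked":      atm.ValidateLogin(org, issue(orgPriv, "shift-lost", engPub, "south", 2, 8), crl, now),
	}
}

func main() {
	for name, err := range ChainDemo() {
		fmt.Printf("%-13s %v\n", name, err)
	}
}
```

Two things a production agent needs that this toy leaves out: a sequence number or issue time on the CRL so a device refuses a list older than the one it already holds (otherwise a stale medium silently un-revokes a certificate), and a limit on how far the device clock may have drifted, since on an offline device expiry is the only thing that bounds a lost medium between CRL deliveries.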
03 · Operations
Fleets of tens of thousands of devices: delivery via signed files over any channel, login never waits for the network.
Roles, policies, revocation (CRL) and inventory for the whole fleet — in one Tessera Control; administrator ≠ auditor. You can also start with no server at all: roles and keys go into the device image.
Tessera Control · standalone works too
The certificate's privilege level maps to the mandatory integrity level: the session opens with exactly that label, compared bit for bit. Signed components; works with the closed software environment enabled; login through the native fly-dm screen.
SE, MIC, closed software environment
Every login, logout and denial is an event in a hash-chained journal, so any edit or deletion of an earlier entry breaks the chain and is visible. Uploaded to Control when connectivity exists; exported via the engineer's medium for air-gapped sites.
tamper-evident · works offline
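The tamper-evident journal described above, as an added Go example; it is not the agent's code. The event strings, the hash construction (SHA-256 over sequence number, event text and previous hash) and the idea that Control, or the engineer's medium at an air-gapped site, records the latest head hash as an anchor are assumptions made for this illustration; the page only says the journal is hash-chained and uploaded or exported. The example shows why the anchor matters: an edited or removed entry breaks the chain by itself, but a tail cut off after the last export verifies cleanly unless something outside the journal remembers where the chain ended.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// genesis is the "previous hash" of the first entry; any fixed constant works as long as every verifier uses it.
const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// Entry is one journal record. Hash covers Seq, Event and Prev, so changing or removing any earlier
// entry changes every hash after it.
type Entry struct {
	Seq   int
	Event string // constructed sample text, e.g. "login ok user=eng-17 cert=shift-1"
	Prev  string
	Hash  string
}

func entryHash(seq int, event, prev string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d\x00%s\x00%s", seq, event, prev)))
	return hex.EncodeToString(sum[:])
}

// Journal is the device-side chain; Head is the hash of the latest entry.
type Journal struct {
	Entries []Entry
	Head    string
}

func NewJournal() *Journal { return &Journal{Head: genesis} }

func (j *Journal) Append(event string) {
	e := Entry{Seq: len(j.Entries), Event: event, Prev: j.Head}
	e.Hash = entryHash(e.Seq, e.Event, e.Prev)
	j.Entries = append(j.Entries, e)
	j.Head = e.Hash
}

// Verify walks the chain from genesis and compares the result with an independently held head hash
// (assumed: the anchor recorded at the last upload to Control or export to the engineer's medium).
// Without that anchor a truncated tail would verify cleanly.
func Verify(entries []Entry, head string) error {
	prev := genesis
	for i, e := range entries {
		if e.Seq != i || e.Prev != prev || e.Hash != entryHash(e.Seq, e.Event, e.Prev) {
			return fmt.Errorf("chain broken at entry %d", i)
		}
		prev = e.Hash
	}
	if prev != head {
		return fmt.Errorf("head mismatch: journal ends at %.8s, anchor says %.8s", prev, head)
	}
	return nil
}

// JournalDemo builds a constructed journal of three events and returns what Verify says about the
// intact copy and three manipulated ones (nil = consistent with the anchor).
func JournalDemo() map[string]error {
	j := NewJournal()
	for _, ev := range []string{
		"login ok user=eng-17 cert=shift-1 dev=atm-0412",
		"denied user=eng-23 cert=shift-9 reason=scope",
		"logout user=eng-17",
	} {
		j.Append(ev)
	}
	clone := func() []Entry { return append([]Entry(nil), j.Entries...) }
	tampered := clone()
	tampered[1].Event = "login ok user=eng-23 cert=shift-9 dev=atm-0412" // the denial rewritten as a success
	deleted := append(clone()[:1], clone()[2:]...)                      // the denial removed altogether
	truncated := clone()[:2]                                             // the logout cut from the tail
	return map[string]error{
		"intact":    Verify(j.Entries, j.Head),
		"tampered":  Verify(tampered, j.Head),
		"deleted":   Verify(deleted, j.Head),
		"truncated": Verify(truncated, j.Head),
	}
}

func main() {
	for name, err := range JournalDemo() {
		fmt.Printf("%-10s %v\n", name, err)
	}
}
```

The "deleted" case is caught twice over: the sequence number jumps and the previous-hash link no longer matches. The "truncated" case is the one to remember when designing the export: the chain itself is consistent, and only the anchor held outside the device reveals that entries are missing.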
Installation is a package plus configuration files; a built-in readiness self-check (doctor). The agent core is open source: your security team can see exactly what runs on the devices.
no DB · no daemons on the login path
A few devices, your maintenance scenarios, your contractors — and a before/after audit comparison.